hacking from the restroom
iBLISS
introduction
$ whoami
• Intrusion Analyst at iBLISS
• Computer Engineer
• Holds some certs
• Over 10 years having fun/studying/working with security
• Has spoken at ToorCon X (USA), H2HC IV and YSTS 2.0/3.0 (Brazil)
agenda
• motivations
• goal
• why cellphones?
• how?
• demos
• issues and concerns
• conclusions
motivations
- pentest more than we used to do
- just 0days?
- unknown power in hands ha ha ha
- new market
- a lot of software
- utilize your phone!
cellphone myths
goal
• cellphones can do interesting stuff
• pentest platform? nah!
• a lot of resources!!
why cellphones?
little toys(1)
• nokia e65
• symbian s60 9.1
little toys(2)
• iPod touch 2g
• mac os x
how??
• unix systems
• sdk for everything!
• ordinary tools can help
• hacking tools already done*
• wi-fi connection
pentest steps
information gathering
• browsers
• almost all clients (rdp, telnet, ftp, vnc, etc)
• portscanners
  – simply done in any language
  – nmap up and running!
nmap running on iphone/ipod touch
scanning
• nikto for web (script languages always work)
exploiting
• long concept
• server-side & client-side
• privilege escalation
• in all we have our phones!
exploiting(server-side)
• metasploit
exploiting (client-side)
• creativity
  – pamp (portable apache + mysql + php)
  – any exploit (mainly for browsers)
  – social engineering and/or phishing
  – our first demo!
demo(1)
• what: client-side attack
• tools: pamp + telnet client + social engineering
• vuln: ie7 uninitialized memory corruption
• payload: bind port
• toy: nokia e65
privilege escalation
• brute-force online
  – brute-force offline, necessary?
• arp poisoning
• sniffers
• second demo
demo(2)
• what: mitm
• tool: pirni
• toy: ipod touch
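The privilege escalation slide and demo(2) rest on ARP poisoning: a host on the LAN answers ARP for the gateway (or a victim) with its own MAC so traffic flows through it. From the defender's side the symptom is visible in the ARP traffic itself. The script below is an added example for this page, not a tool from the talk: it parses a constructed, tcpdump-style log of ARP replies (the log lines and the baseline gateway MAC are invented) and flags three signs of poisoning: a reply for a baselined IP from the wrong MAC, one IP answered by more than one MAC, and one MAC claiming several IPs.

```python
"""Detect ARP cache poisoning symptoms in a stream of ARP replies.

Added example, not code from the talk. Input format is a constructed
tcpdump-style line: "<ip> is-at <mac> ts=<seconds>".
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    ts: float
    sender_ip: str
    sender_mac: str


# Constructed sample log: a healthy gateway (.1) and host (.23), then a
# third MAC starting to answer for both of them (classic MITM pattern).
SAMPLE_ARP_LOG = """\
10.0.0.1 is-at 00:11:22:33:44:01 ts=1.0
10.0.0.23 is-at 00:11:22:33:44:23 ts=1.5
10.0.0.1 is-at 00:11:22:33:44:01 ts=30.2
10.0.0.1 is-at de:ad:be:ef:00:99 ts=31.0
10.0.0.23 is-at de:ad:be:ef:00:99 ts=31.1
10.0.0.1 is-at de:ad:be:ef:00:99 ts=33.0
"""

# Constructed baseline: the MAC the gateway is known to have.
GATEWAY_BASELINE = {"10.0.0.1": "00:11:22:33:44:01"}


def parse_arp_log(text):
    """Parse "<ip> is-at <mac> ts=<t>" lines; silently skip anything else."""
    replies = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[1] != "is-at" or not parts[3].startswith("ts="):
            continue
        ts = float(parts[3].split("=", 1)[1])
        replies.append(ArpReply(ts, parts[0], parts[2].lower()))
    return replies


def detect_arp_poisoning(replies, baseline):
    """Return a list of (kind, detail) alerts for suspicious ARP activity.

    kinds: "baseline-mismatch" - a baselined IP answered by another MAC
           "ip-conflict"       - one IP answered by several MACs
           "mac-claims-many"   - one MAC answering for several IPs
    """
    alerts = []
    ip_to_macs = defaultdict(set)
    mac_to_ips = defaultdict(set)
    for r in replies:
        expected = baseline.get(r.sender_ip)
        if expected is not None and r.sender_mac != expected.lower():
            alerts.append(("baseline-mismatch",
                           f"{r.ts:.1f}s {r.sender_ip} is-at {r.sender_mac} "
                           f"(expected {expected})"))
        ip_to_macs[r.sender_ip].add(r.sender_mac)
        mac_to_ips[r.sender_mac].add(r.sender_ip)
    for ip, macs in sorted(ip_to_macs.items()):
        if len(macs) > 1:
            alerts.append(("ip-conflict",
                           f"{ip} answered by {len(macs)} MACs: {sorted(macs)}"))
    for mac, ips in sorted(mac_to_ips.items()):
        if len(ips) > 1:
            alerts.append(("mac-claims-many",
                           f"{mac} claims {len(ips)} IPs: {sorted(ips)}"))
    return alerts


if __name__ == "__main__":
    for kind, detail in detect_arp_poisoning(parse_arp_log(SAMPLE_ARP_LOG),
                                             GATEWAY_BASELINE):
        print(f"[{kind}] {detail}")
```

The same logic runs on real captures by feeding it `tcpdump -n arp` output after trimming the timestamp format to the one the parser expects; static ARP entries for the gateway, or switch-side dynamic ARP inspection, are the mitigations that make the flagged replies ineffective in the first place.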
maintaining access
• ssh daemon & client
• netcat
• stunnel
has anyone ever seen that?
• neopwn
• http://www.neopwn.com/
what else?
802.11 attacks
• barbelo (wi-fi scanner) for symbian
• mobile scanner (promiscuous mode) for windows mobile
• silica & silica q from immunity (dumping and cracking)
screenshots
802.15 (bluetooth) attacks
• bluetooth scanners and some exploits (bluesnarf, etc)
  – btbrowser & bloover for mobile (made in java)
screenshots
what about imagination?
rogue ap
• joikuspot
  – same ssid, attack is ready
  – user will not notice the difference (ad-hoc connection)
sniffing keystrokes??
• laser rox, i know that ‒ but cellphones as well!!
• cellphones have microphones, right?
• sounds into wood table?
• daniele and andrea can give it a shot! :D
sms attacks
• zane & luis did a great job on that!
• manipulate pdus from the cellphone (time economy)
• t.a.f.t. - http://www.blackhat.com/presentations/bh-usa-09/LACKEY/BHUSA09-Lackey-AttackingSMS-SLIDES.pdf
more?
just develop!
• sdks for everybody!
  – symbian, blackberry, windows mobile, android, openmoko, iphone, more?
issues and concerns
• attacks just from inside?
• qwerty always welcome ‒ virtual kbd from ipod rox too!
• faster and better
• even *jailbroken* phones limit us, openmoko and android may rule!
• new gadgets, not just phones: zune hd
conclusions
• let’s think more about what we already have in our hands
• imagination makes us better hackers!
• each one of you: make your own
$ locate me
• Contact: bruno.mphx2 *nospam* gmail.com
• Linkedin: http://linkedin.com/in/brunogoliveira
• Blog: http://g0thacked.wordpress.com/
• IRC: #[email protected]
• Conferences around the globe (hope to see you at H2HC)
thanks!
• organizers!!!
• brazilian security friends (leo cavallari ‒ b0ss ;), spooker, bsdaemon, anderson ramos, coideloko, flambers, mr.billy, le, c4r0l, alan castro, bogus, zucco, etc)
that’s all
terima kasih (thank you)